Feedback to Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version 
1.0 Adopted by EDPB on 02 September 2020 


In my opinion: 

- document should include explanation if any rules apply to limitation of the controller-processor 
"chain of processing". Given GDPR Article 5(1)b and Article 5(1)f - data minimisation and 
confidentiality should apply. It implies, that minimisation of data processing itself should apply too. 
Every new entity in processing chain produces security risks, lessens confidentiality and generates 
more data about data subjects in practise. Every contract is formal document only, but every data 
transfer, every extension of processing chain provides factual risks. So giving general rules of the 
GDPR, there should be limitations of controllers when they can exercise their right to use processor. 
For example: Company A could provide e-mail service to his employees using internal resources, 
but decides to use cloud service as processor. It directly affects their employees and if they don't 
agrees with providing their correspondence to specific company, they must quit the job. 


- What rules apply to a processor on separation of processed data from different controllers? 
Processor provides same service to many customers in role of controllers. But there is no rule to 
measure if company comply with general GDPR rules that they cannot process data against means 
of given controller (e.g. mix them, enhance by other sources etc). 


- Can processor anonymise data and use them for their purposes without consent from controller? 


- Article 111. impact will be - type of personal data will be broadly misused to most vague 
description possible. It's against purpose of GDPR and so types of personal data should be specific 
as possible. e.g. health records in an unstructured text form including diagnosis, procedures, 
medical prescriptions, causes of medical state etc.; health records - diagnoses in structured form 
with lookups to ICD. 


